---
layout: docs
page_title: Vault CSI provider configurations
description: >-
   Learn about the command line arguments and the secret provider class parameters supported by the Vault CSI provider.
---

# Vault CSI provider configurations

The following command line arguments are supported by the Vault CSI provider.
Most settings support being set by, in ascending order of precedence:

- Environment variables
- Command line arguments
- Secret Provider Class parameters

If installing via the helm chart, they can be set using e.g.
`--set "csi.extraArgs={-debug=true}"`.

- `-cache-size` `(int: 1000)` - Set the maximum number of Vault tokens that will
  be cached in-memory. One Vault token will be stored for each pod on the same
  node that mounts secrets. Setting to 0 will disable the cache and force each
  volume mount request to reauthenticate to Vault.

- `-debug` `(bool: false)` - Set to true to enable debug level logging.

- `-endpoint` `(string: "/tmp/vault.sock")` - Path to unix socket on which the
  provider will listen for gRPC calls from the driver.

- `-health-addr` `(string: ":8080")` - The address of the HTTP listener
  for reporting health.

- `-hmac-secret-name` `(string: "vault-csi-provider-hmac-key")` - Configure the
  Kubernetes secret name that the provider creates to store an HMAC key for
  generating secret version hashes.

- `-vault-addr` `(string: "https://127.0.0.1:8200")` - Default address
  for connecting to Vault. Can also be specified via the `VAULT_ADDR` environment
  variable. **Note:** It is highly recommended to only set the Vault address when
  installing the helm chart. The helm chart will install Vault Agent as a sidecar
  to the Vault CSI Provider for caching and renewals, but setting `-vault-addr`
  here will cause the Vault CSI Provider to bypass the Agent's cache.

- `-vault-mount` `(string: "kubernetes")` - Default Vault mount path
  for Kubernetes authentication. Can be overridden per Secret Provider Class
  object.

- `-vault-namespace` `(string: "")` - (v1.1.0+) Default Vault namespace for Vault
  requests. Can also be specified via the `VAULT_NAMESPACE` environment variable.

- `-vault-tls-ca-cert` `(string: "")` - (v1.1.0+) Path on disk to a single
  PEM-encoded CA certificate to trust for Vault. Takes precedence over
  `-vault-tls-ca-directory`. Can also be specified via the `VAULT_CACERT`
  environment variable.

- `-vault-tls-ca-directory` `(string: "")` - (v1.1.0+) Path on disk to a
  directory of PEM-encoded CA certificates to trust for Vault. Can also be
  specified via the `VAULT_CAPATH` environment variable.

- `-vault-tls-server-name` `(string: "")` - (v1.1.0+) Name to use as the SNI
  host when connecting to Vault via TLS. Can also be specified via the
  `VAULT_TLS_SERVER_NAME` environment variable.

- `-vault-tls-client-cert` `(string: "")` - (v1.1.0+) Path on disk to a
  PEM-encoded client certificate for mTLS communication with Vault. If set,
  also requires `-vault-tls-client-key`. Can also be specified via the
  `VAULT_CLIENT_CERT` environment variable.

- `-vault-tls-client-key` `(string: "")` - (v1.1.0+) Path on disk to a
  PEM-encoded client key for mTLS communication with Vault. If set, also
  requires `-vault-tls-client-cert`. Can also be specified via the
  `VAULT_CLIENT_KEY` environment variable.

- `-vault-tls-skip-verify` `(bool: false)` - (v1.1.0+) Disable verification of
  TLS certificates. Can also be specified via the `VAULT_SKIP_VERIFY` environment
  variable.

- `-version` `(bool: false)` - print version information and exit.


# Secret provider class parameters

The following parameters are supported by the Vault provider. Each parameter is
an entry under `spec.parameters` in a SecretProviderClass object. The full
structure is illustrated in the [examples](/vault/docs/platform/k8s/csi/examples).

- `roleName` `(string: "")` - Name of the role to be used during login with Vault.

- `vaultAddress` `(string: "")` - The address of the Vault server. **Note:** It is
  highly recommended to only set the Vault address when installing the helm chart.
  The helm chart will install Vault Agent as a sidecar to the Vault CSI Provider
  for caching and renewals, but setting `vaultAddress` here will cause the Vault
  CSI Provider to bypass the Agent's cache.

- `vaultNamespace` `(string: "")` - The Vault [namespace](/vault/docs/enterprise/namespaces) to use.

- `vaultSkipTLSVerify` `(string: "false")` - When set to true, skips verification of the Vault server
  certificate. Setting this to true is not recommended for production.

- `vaultCACertPath` `(string: "")` - The path on disk where the Vault CA certificate can be found
  when verifying the Vault server certificate.

- `vaultCADirectory` `(string: "")` - The directory on disk where the Vault CA certificate can be found
  when verifying the Vault server certificate.

- `vaultTLSClientCertPath` `(string: "")` - The path on disk where the client certificate can be found
  for mTLS communications with Vault.

- `vaultTLSClientKeyPath` `(string: "")` - The path on disk where the client key can be found
  for mTLS communications with Vault.

- `vaultTLSServerName` `(string: "")` - The name to use as the SNI host when connecting via TLS.

- `vaultAuthMountPath` `(string: "kubernetes")` - The name of the auth mount used for login.
  Can be a Kubernetes or JWT auth mount. Mutually exclusive with `vaultKubernetesMountPath`.

- `vaultKubernetesMountPath` `(string: "kubernetes")` - The name of the auth mount used for login.
  Can be a Kubernetes or JWT auth mount. Mutually exclusive with `vaultAuthMountPath`.

- `audience` `(string: "")` - Specifies a custom audience for the requesting pod's service account token,
  generated using the
  [TokenRequest API](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/#TokenRequestSpec).
  The resulting token is used to authenticate to Vault, so if you specify an
  [audience](/vault/api-docs/auth/kubernetes#audience) for your Kubernetes auth
  role, it must match the audience specified here. If not set, the token audiences will default to
  the Kubernetes cluster's default API audiences.

- `objects` `(array)` - An array of secrets to retrieve from Vault.

  - `objectName` `(string: "")` - The alias of the object which can be referenced within the secret provider class and
  the name of the secret file.

  - `method` `(string: "GET")` - The type of HTTP request. Supported values include "GET" and "PUT".

  - `secretPath` `(string: "")` - The path in Vault where the secret is located.
    For secrets that are retrieved via HTTP GET method, the `secretPath` can include optional URI parameters,
    for example, the [version of the KV2 secret](/vault/api-docs/secret/kv/kv-v2#read-secret-version):

    ```yaml
    objects: |
      - objectName: "app-secret"
        secretPath: "secret/data/test?version=1"
        secretKey: "password"
    ```

  - `secretKey` `(string: "")` - The key in the Vault secret to extract. If omitted, the whole response from Vault will be written as JSON.

  - `filePermission` `(integer: 0o644)` - The file permissions to set for this secret's file.

  - `encoding` `(string: "utf-8")` - The encoding of the secret value. Supports decoding `utf-8` (default), `hex`, and `base64` values.

  - `secretArgs` `(map: {})` - Additional arguments to be sent to Vault for a specific secret. Arguments can vary
    for different secret engines. For example:

    ```yaml
    secretArgs:
      common_name: 'test.example.com'
      ttl: '24h'
    ```

    ~> `secretArgs` are sent as part of the HTTP request body. Therefore, they are only effective for HTTP PUT/POST requests, for instance,
        the [request used to generate a new certificate](/vault/api-docs/secret/pki#generate-certificate).
        To supply additional parameters for secrets retrieved via HTTP GET, include optional URI parameters in [`secretPath`](#secretpath).
